DISCLAIMERS


This [illegible] presentation is not endorsed [illegible] has nothing to do [illegible] current DHS/TSA, [illegible] or [illegible]

[illegible] comments & opinions expressed herein are [illegible] and NOT those of [illegible]

Use at your own risk 

Not responsible for death, [illegible] lawyers, dismemberment, [illegible] of
war, acts of deities, acts of [illegible] in warzones, [illegible], loss of [illegible], dry mouth

Not appropriate for children under 6” tall, small parts present a choking hazard to those lacking object permanence 
We are not responsible for your poor decision making 

Call before you dig 

If Frog begins to emit a 2600 HZ tone, deposit Frog in nearest AT&T phone booth 

Do [illegible] try this at home

Not affiliated with the University of Florida or any other institution of higher learning 

Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or 
otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by us or competence 
by the United States Government 

The user takes full responsibility for everything and anything that could and/or does go wrong resulting in any kind 
or type of problem, difficulty, embarrassment, loss of money or goods or services or sleep or anything else whatsoever 


YET MORE DISCLAIMERS (YOU THOUGHT YOU WERE FREE)


• Unless the word absquatulation has been used in its correct context somewhere other than in this warning, it does
  not have any legal or grammatical use and may be ignored
• No animals were harmed in the creation of this presentation, one of you will accuse us of this regardless
• Those of you with an overwhelming fear of the unknown will be gratified to learn that there is no hidden message
  revealed by reading this warning backwards
• [illegible] and NOT those of [illegible]
• You are advised that urgent, time sensitive and confidential communications should not be sent by e-mail. You agree
  that you will not use e-mail correspondence for unlawful purposes or in contravention of laws on electronic
  communications
• This presentation is intended for the use of the individual attendees in the audience and may contain information
  that is confidential, privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of
  humour or irrational religious beliefs, any dissemination, distribution or copying of this slide deck is [illegible]
  authorised (either explicitly or implicitly or [illegible]) and constitutes an irritating social faux pas
• WE STILL [illegible] ARE NOT [illegible]
• We do not endorse any activity or recommend it to any particular person - we simply describe our experiences and
  opinions; If you choose to engage in these activities it is by your own free will and at your own volition
• Use your brain and common sense when engaging in any activity or making any modifications
• Remember: Safety first, always use common sense; Never do more than you are comfortable with; Always wear safety
  belts and use all appropriate safety equipment


WHAT ARE TSA APPROVED LOCKS?


• Introduced to address TSA policy of destructively opening locked luggage for screening in 2003
• Proprietary systems with little public information for review
• Designed to be opened with one of several “master” keys provided to the TSA, customs, law enforcement, etc (both
  US and foreign agencies) - a form of key escrow
• May be keyed (owner gets a key that operates the lock) or combination (owner receives no key)
• Two competing standards (Travel Sentry and Safe Skies)


WHAT ARE TSA APPROVED LOCKS?


• Travel Sentry sets standards for the override keys and mechanisms then licenses those standards to “hundreds” of
  manufacturers
• Dominant standard in the consumer market
• Currently offers 7 known override keys numbered as TSA001-TSA007


Travel Sentry ®, an organization that provides security solutions to the travel industry, announced today a new baggage locking system that allows airline 
passengers to lock their bags without interfering with the Transportation Security Administration's (TSA) need to open bags for inspection. 


"TSA is ready to work with any industry in developing practical solutions that contribute toward our goal of providing world-class security and world-class customer 
service," said Ken Lauterstein, Program Manager for Checked Baggage Screening Operations in TSA's Office of Aviation Operations. 

12 November 2003 - http://www.travelsentry.org/en/press-release/2003/pr-12-november.php 

(Remember these quotes for later) 


WHAT ARE TSA APPROVED LOCKS?


• Safe Skies manufactures locks under their own competing standard
• Only offers a single override key (labeled as TSA Safe Skies)
• Has sued Travel Sentry for patent infringement
• Smaller market share than Travel Sentry
• All available information indicates only one override/master key for their entire system

Protected by US Patents 7,021,537 and 7,036,728


WHAT IS KEY ESCROW?


• owner/user gets an access token
• 3rd party (typically Gov’t) gets a separate access token held in ‘escrow’
• 3rd party is only allowed to use escrowed token under specific situations
• USPS multi-dwelling unit mailboxes work on this principle
• Proper function requires 3rd party complies with the rules

[Image: United States Postal Service lock and private owner locks. USPS lock gives letter carrier access to all boxes,
owner locks give access to individual boxes.]

image source: http://hubpages.com/living/USPS-Approved-Mailboxes---FAQ


MASTER KEYS 


The following represents a schematic of a level three (GMK) system. 
Your system may vary somewhat from this. 


[Diagram: master key system schematic. Surviving labels: (HSKP) Housekeeping Key (Selective Master Key); janitor
(HSKP) AD7-AD10; Access Control Override SKD1]


It can get complicated quickly (also, really expensive) 


THE TSA WENT FOR SOMETHING A BIT SIMPLER 


Less simple, slightly more secure. 


We now have 8 master keys to compromise, but a bad
(internal) actor can still grab them on a single keyring.


Travel Sentry Safe Skies


TSA001 TSA002 TSA003 TSA004 TSA005 Safe Skies


Change Key Change Key Change Key Change Key Change Key Change Key Change Key Change Key 


TRAVEL SENTRY KEY COMPROMISE 


Travel Sentry and the TSA are bad at data classification and 
key escrow security. 




About 14 million checked bags passed through TSA hands during the Thanksgiving
holiday weekend.
Security officers have master keys for TSA-approved baggage locks.
©Ryetronics on Instagram


Guide to Travel Sentry Passkeys - May 1 2008


TSA002 - Original — never changed


TSA003 - Black metal version


TSA004 - Original — never changed


TSA007 - Original — never changed


Sensitive Information — do not post, copy or disseminate


The Washington Post


One Gas Pump Key Lets Thieves Steal Your ID


The NBC Bay Area Investigative Unit has found a single master key grants access
to gas pumps across the state and it's giving easy access to thieves looking to
compromise Bay Area drivers' credit card information. Vicky Nguyen first aired this
story Nov. 8 at 11 p.m.


The $8 key that can open New
York City to terrorists


By Susan Edelman September 20, 2015 | 5:22am


A Post reporter bought this key to the city online — with no questions asked. 


TRAVEL SENTRY KEY COMPROMISE 


Travel Sentry and the 
TSA are bad at data 
classification and 
key escrow security. 


Real Bad


TSA007 - Original — never changed
Sensitive Information — do not post, copy or disseminate


And yet you did exactly that. 


*** They left it at https://www.travelsentry.org/security/pdf/Guide to TravelSentry Passkeys 1 October 2012-EN.pdf and 
didn't notice for months. *** 


PHOTOS AREN'T THE SAME AS HANDING OUT KEYS, RIGHT?


• Oops, nope. Just as bad if not worse. (You can’t email a physical object)
• Researchers in academia and the security community have been warning about key duplication from photos for years
• At least two businesses (Key.me and Keysduplicated.com) offer this as their primary service
• TOOOL.nl and others have even demonstrated using this technique for High Security keys and locks


"Showing Keys in Public - What Could Possibly Go Wrong?" Jos Weyers, HOPE X, July 19, 2014
"Copying keys from photos is child's play" The Guardian, November 14, 2008 (Sneakey project)
"Methods of Copying High Security Keys" Barry Wels and Han Fey, The Last HOPE, July 19, 2008
AutoKey3D (formerly PhotoBump) Presented at LockCon 2014 and released on GitHub by Christian
Holler (https://github.com/choller/autokey3d)


[illegible] WITH 3D PRINTING


• @DarkSim905, @Xylitol,
• Take images
• Raytrace
• 3D CAD
• 3D print those suckers and test
• Refine, reiterate
• GitHub!
• Refine, reiterate

3D TSA "Travel Sentry" master keys 


Recently, pictures of TSA master baggage keys got leaked by the Washington Post and also PDFs 
hosted on TravelSentry's Website. This repo is a reproduction attempt 


Security researchers have long warned of the dangers of using master-keyed locks 


The TSA has issued an official statement making it known that they don't even care that we've done 
this, as the now-pointless locks affect theft prevention, not airline safety. 


[!] Important: These keys have not been widely-tested, though we do have reports that many do 
work from at least one source. 006 May never work, as we're not sure of the depth of the 
"dimples," and also consumer-grade 3D printers may not be up to such finely-detailed tasks 


Added the stubby versions of the keys by MS3FGX, which appear to still work fine ! 


3D PRINTING KEYS IS A REALLY DUMB IDEA


• Torsion strength of materials is often less than is necessary
  o Even when they do work, you rarely get more than a few uses out of a single key
• Materials expand / contract while cooling, resulting in a final product that can deviate significantly from the
  design
• Filing our own metal keys is very easy.


DEALING WITH THE MEDIA


• Content is rarely, if ever fact checked.
• Most news outlets:
  o At best are now nothing more than Twitter aggregates
  o At worst, they are news outlet aggregates
• Attempts to contact the "journalists" to have corrections made were almost universally met with radio silence


The geniuses @TSA require us to use luggage
locks for which they have master keys. Now we

DEALING WITH THE MEDIA 


• OK, yes, there are still good journalists who care about presenting a story factually and properly
  o Brian Krebs (Krebs on Security)
  o Jenna McLaughlin (The Intercept)
  o Cory Doctorow (Boing Boing)
  o Jose Pagliery (CNN Money)
  o Andy Greenberg (Wired)
  o Steve Ragan (CSO Online)
  o Bruce Schneier (Schneier on Security)
• Note they're mostly tech journals, which muggles don't read :/


TESTING AND REFINING


Image courtesy Johnny Xmas

A comparison of TSA007 keyways and mechanisms showing the varying dimensions and mechanisms between designs


Images courtesy The CORE Group and Deviant Ollam


See http://enterthecore.net/tsa007/


ROGUE KEYS, MOCK-UPS, IMPRESSIONING, AND DECODING


SO, NOTHING LEFT TO DO, RIGHT?


Not quite. Remember, two competing standards? Only 
one compromised by leaked images and docs. Also not 
everyone has a 3D printer or the cash to buy 
printer time from Shapeways. 


So what do we do? Fall back on century old 
techniques: 


1. ID and source compatible blanks (or modify 
‘user’ keys) 

2. Impression the hell out of some locks 

3. Adopt, adapt, improve. 


NO SAFE SKIES, YOU CAN'T FEEL SMUG EITHER 


First, we need key blanks. 
What if we can’t find them? We make our own. 
The easy way: sheet styrene from a hobby shop and some glue 


The hard way: find a blank that is close and introduce it to 
a Dremel tool 


NO SAFE SKIES, YOU CAN'T FEEL SMUG EITHER


Okay we have our blanks but this is going to be a long brute
force slog right?


Safe Skies committed one of the cardinal sins of key security.
They used a single key for both master keyed and non-master keyed locks.

Big difference in complexity =>


Deviant Ollam


MASTER KEYING 


A regular pin-tumbler lock only has a pair of pins in each chamber
which creates only one possible key.

Adding more pins to each stack creates extra possible keys.

1 master pin = 2 keys
2 master pins = 4 keys
3 master pins = 8 keys
4 master pins = 16 keys

and so on following the formula of 2^x where x is the number of master pins


Images courtesy David Knauer 
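
The 2^x growth above, and the Safe Skies keying decision described on the previous slide, can be checked against a keying schedule. This is an added example, not part of the original slides: the function names, the lock names and the abstract depth codes 0-3 are constructed for illustration (they are not real key bittings), and it assumes at most one master pin per chamber, which is the case the 2^x formula covers.

```python
from itertools import product

def working_keys(chambers):
    """Return every bitting (tuple of cut depths) that operates a lock.

    `chambers` has one set per pin chamber holding the depths at which that
    chamber has a shear line: one depth for a plain pin pair, two once a
    master pin is added.
    """
    return set(product(*chambers))

def master_pin_count(chambers):
    # Each extra shear line in a chamber corresponds to one master pin.
    return sum(len(depths) - 1 for depths in chambers)

def pin_lock(master, owner=None):
    """Pin a lock for the master key and, optionally, an owner key."""
    if owner is None:
        return [{m} for m in master]          # non-master-keyed override
    return [{m, o} for m, o in zip(master, owner)]

def audit(schedule, master):
    """Per lock: master pins, number of working keys, and whether the
    master is the only key the lock accepts."""
    report = {}
    for name, chambers in schedule.items():
        keys = working_keys(chambers)
        report[name] = {
            "master_pins": master_pin_count(chambers),
            "working_keys": len(keys),
            "accepts_master": master in keys,
            "master_is_only_key": keys == {master},
        }
    return report

# Constructed sample schedule (hypothetical locks, abstract depth codes).
MASTER = (2, 1, 3, 0)
SCHEDULE = {
    "keyed-A": pin_lock(MASTER, owner=(1, 1, 3, 2)),  # 2 chambers differ
    "keyed-B": pin_lock(MASTER, owner=(0, 3, 1, 0)),  # 3 chambers differ
    "combo-C": pin_lock(MASTER),                      # override cylinder only
}
REPORT = audit(SCHEDULE, MASTER)

if __name__ == "__main__":
    for name, row in REPORT.items():
        print(name, row)
```

A lock flagged `master_is_only_key` holds nothing but the system-wide key in its pinning, so sharing one override key between master keyed and non-master keyed products removes the ambiguity that master pins would otherwise add.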


NO SAFE SKIES, YOU CAN'T FEEL SMUG EITHER


Physical access with no monitoring means we can get messy.


Take non-mastered lock, introduce a Dremel tool
Remove override cylinder


Decode and fit homemade blanks
????
Exploit!


WHAT DOES THE TSA THINK?


“The reported ability to create keys for TSA- 
approved suitcase locks from a digital image does 
not create a threat to aviation security. These 
consumer products are “peace of mind” devices, 
not part of TSA’s aviation security regime. Carried 
and checked bags are subject to the TSA’s 
electronic screening and manual inspection. In 
addition, the reported availability of keys to 
unauthorized persons causes no loss of physical 
security to bags while they are under TSA control. 
In fact, the vast majority of bags are not locked 
when checked in prior to flight.” 


-TSA spokesperson Mike England 
https://theintercept.com/2015/09/16/tsa-doesnt-really-care-luggage-locks-hacked/




FUTURE SYSTEMS
(STANTON CONCEPTS GEN 2 PROPOSAL)


STANTON CONCEPTS, LLC


TSA's Challenge, too many keys:

• "Keys are a BIG pain in the #@%$" Senior Management
• 450 Airports
• Key Ring Contains all TSA Keys:
  * TSA001 - Ningbo et al
  * TSA002 - Sinox et al
  * TSA003 - Fullyear-Brother et al
  * TSA004 - CCL et al
  * TSA005 - Sun Lock et al
  * TSA007 - Yi Feng et al
  * "SAFE SKIES"
  * 8” Side Cutting Electricians Pliers (the grand master key)
  * 24” Bolt Cutters (the supreme grand master key)
• “Would rather just cut the locks off” Senior Management


3/25/2010 www.stantonconcepts.us 8


FUTURE SYSTEMS 
(STANTON 
CONCEPTS GEN 2 
PROPOSAL) 


SCI recognises why the 
existing system is bad 
for the traveling public 


STANTON CONCEPTS, LLC


The Consumer's Challenge: More for Less


* Existing Products Offer Low Security:
  * 1 Key opens 10's of millions of locks of the same family
  * Locks easily picked:
    * YouTube ~750 videos on bypassing luggage locks
    * Google ~85,000 results from “TSA Lock Picking" query
  * Keys are copied:
    * Instructional videos on the Web
    * Easily duplicated
    * 3D printing
* No Tamper Indication
  * Current products easy to bypass, and no indication of violation
* Cost


3/25/2010 www.stantonconcepts.us 10


FUTURE SYSTEMS
(STANTON CONCEPTS GEN 2 PROPOSAL)


SCI recognises why the
existing system is bad
for the traveling public


So they make it worse!


STANTON CONCEPTS, LLC


SCI’s Next Generation Lock: Patent Pending


How It Works: Easy for TSA to Open & Close

Clip Cup with standard tool (8” Pliers) => Inspect => Advance New Cup


3/25/2010 www.stantonconcepts.us 15


SO WHAT NOW? (FOR THE TRAVELING PUBLIC)


• TSA Approved Locks were never secure to begin with and most luggage isn’t either
• Remember criminals have had access to these keys or subtle destructive techniques for years
  o Theft by airline and TSA staff is common and easily hidden
• The only real change is that now YOU know
  o Use tamper evident seals
  o Remember this every time a government official claims to need more access and authority
  o Avoid valuable or sensitive items in checked bags. This is the only failsafe.


SO WHAT NOW? (FOR THE SECURITY COMMUNITY)


• Use this to explain why Key Escrow crypto systems in government hands are unsafe
• Every security system is only as good as its weakest element
• You need plans to revoke and replace compromised locks and keys just like CA certs and crypto keys
• Don’t trust “black box” security solutions
• We need to apply the same peer review and open source philosophy to analysing physical security
• Hold government, standards bodies, and manufacturers accountable for their screwups


QUESTIONS?
TOO BAD


@DarkSim905, @JOhnnyXm4s, @NiteOwl 2600


With Many thanks to ***Xylit01***, MS3FGX, Irongeek APC, Deviant Ollam, David
Knauer, PNTinDC, Click, and too many others I can't name.


Uncredited images are courtesy NiteOwl, DarkSim905, JOhnny Xm4s, David Knauer, Deviant Ollam, and random Google Image search results.
No ownership, permission, endorsement, or direct association is intended or implied. Trademarks are property of their respective owners. We are
not lawyers, keep hands and loose clothing clear of moving parts, do not operate heavy machinery while under the influence of this presentation.


About 14 million checked bags passed through TSA hands during the Thanksgiving
Security officers have master keys for TSA-approved baggage locks.

Cut Depths (Green/dark blue):
A: 0.6mm/3.45mm 

B: 0.87mm/4.30mm 

C: 0.29mm/3.66mm 

D: 1.13mm/3.62mm 


In the research samples Safe Skies locks are 
frequently not fully populated and stack 4 is 
often left un-populated, particularly in keyed 
pin-tumbler locks. 


